Reserved Fields

The chart below lists the a set of reserved fields that cannot be used for mapping fields when configuring conditions in Log Stream. There are two situations in Log Stream where these fields are restricted from use:

Parser Field Extraction – During parser creation in Log Stream, when defining how a parser should extract value from a raw log, you can decide which fields to extract value from and how to map them to Exabeam fields. The set of reserved fields listed below may not be used for building mapping extracted field values.
Enrichment Rules – When building custom enrichment rules on the Enrichments tab in Log Stream, you can build conditions that will map field data from raw logs to Exabeam common information model (CIM) fields. The set of reserved fields listed below may not be used for configuring this field mapping.

`_metadata_version`	`activity_type`	`activity`	`agent_ephemeral_id`
`approxLogTime`	`builder_name`	`cimCompliant`	`collector_timestamp`
`coreFieldsMissed`	`dest_device_entity_id`	`dest_user_entity_id`	`detectionFieldsMissed`
`fields`	`fieldTypesVersion`	`id`	`ingest_time`
`ioc_domain`	`ioc_email`	`ioc_ip_v4`	`is_ioc`
`landscape`	`legacy_activity_type`	`log`	`msg_type`
`outcome`	`parsed`	`parser_version`	`platform`
`product_category`	`product`	`raw_log_size`	`raw_log_time_format`
`raw_log_time`	`rawLogIds`	`rawLogs`	`security_criticality`
`site_id`	`source_device_entity_id`	`source_user_entity_id`	`subject`
`tier`	`type`	`vendor`	`xml`

In addition to the list above, fields that begin with the following prefixes also cannot be used:

exa_
m_ (Exception – The following metadata fields can be used for mapping fields when building enrichment rules but not when defining parser field extractions: m_tags, m_site_id, m_site_name

Log StreamLog Stream Guide

Table of ContentsTable of Contents

Reserved Fields